Bucbi Ransomware Revived, Distributed via Brute-Forcing RDP Accounts - How to, Technology and PC Security Forum | SensorsTechForum.com

Bucbi Ransomware Revived, Distributed via Brute-Forcing RDP Accounts

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Bucbi-ransomware-original-ransom-note-palo-alto-stforumSecurity researchers at Palo Alto Networks disclosed that an old ransomware family – Bucbi ransomware – has been just revived after 2 years of silence. The Bucbi threat was discovered in 2014, and it hasn’t been registered active since then. Not only it has been revived but it has also been updated. Above, you see the original ransom note used by Bucbi in 2014’s attacks.

Threat Summary

NameBucbi Ransomware
Short DescriptionBucbi ransomware was first spotted in 2014, but has been just revived.
Symptoms The victim’s files are inaccessible and encrypted.
Distribution MethodVia brute-forcing RDP accounts.
Detection Tool See If Your System Has Been Affected by Bucbi Ransomware


Malware Removal Tool

User ExperienceJoin our forum to find a solution for Bucbi Ransomware.

Bucbi Ransomware: Current Distribution

When it was first reported, Bucbi was spread via HTTP downloads and exploit kits. Now a new distribution technique has been adopted by its authors – delivery via brute-forcing RDP accounts on Internet-facing Windows servers. However, Bucbi’s code is also modified – it no longer needs Internet connection to propagate.

Learn More about Brute Force Attacks

Who Is Behind Bucbi Ransomware?

According to the ransom notes dropped by Bucbi, it’s operated by a far-right Ukrainian nationalist political party called Ukrainian Right Sector. According to Wikipedia, Right Sector has originated in 2014 as a paramilitary confederation at the Euromaidan revolt in Kiev. The group which opposes Russia became a political party on 22 March 2014. In 2014, Right Sector claimed to have approximately 10,000 members.

As for Bucbi’s recent attacks, it’s still not known whether the information about Right Sector provided in the ransom notes is accurate or falsified. However, multiple Russian identifiers have been discovered in the latest infections, which contradict to the ransomware authors’ claims of Ukrainian origin.

Bucbi Ransomware: Technical Overview

As already mentioned, Bucbi’s latest distribution depends on brute-forcing techniques and open RDP (Remote Desktop Protocol) ports. Palo Alto researchers believe that the threat actors may have used a tool named RDP Brute (Coded by z668). This is a list of the IP addresses associated with Bucbi’s latest attacks at the end of March 2016:

  • 184.197.69
  • 44.191.251
  • 117.151.236
  • 161.40.11
  • 101.31.126

Researchers also believe that the attackers first targeted PoS devices but later changed their tactics to monetize their malicious attempts. Palo Alto researchers have shared some of the usernames specific to PoS systems:

Some of the usernames specific to PoS systems include strings such as BPOS, FuturePoS, KahalaPoS, POS, SALES, Staff, and HelpAssistant.

More technical details of the attack find here: Palo Alto Networks Research Center

In conclusion, the latest variant of Bucbi ransomware implies to have been employed by Right Sector. If this claim is truthful, this would mean that the Ukranian far-right party has entered cybercrime, possibly to fund their cause, Palo Alto researchers write. However:

Attribution of this particular attack is difficult as there simply isn’t enough evidence to conclusively determine who is behind it. Various conflicting evidence make it impossible to say for sure. However, what is clear is that attackers are shifting tactics in how ransomware is deployed, and ensuring their malware is constantly being updated to deter defenders.

Bucbi Ransomware Removal & Decryption

Bucbi’s cryptography is still being investigated. More details will be available soon. It’s known that after the encryption process is finished, a README.txt will be placed on the user’s desktop:


The BitCoin address mentioned in the above screenshot has a single payment of 0.00896 BTC at the time of writing. This payment, being so low in value, was likely a test transaction used. The email address of ‘dopomoga.rs@gmail.com’ has ties with the Ukrainian Right Sector in a number of external publications […].

If you have been infected by Bucbi ransomware, consider following the steps below. However, since the threat is still being analyzed, there is no guarantee that encrypted files will be decrypted via any alternative methods.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share